American Express Wants You To Use Lame Passwords

By cwaltersSeptember 24, 2009

We’re no longer indignant about Amex’s weirdly lax security policies anymore, we’re just confused. Why would a major credit card company cold call new customers and insist they give up bank and address info over the phone, or email sensitive data to strangers? Or, we just learned, demand that you use a lame password that isn’t case sensitive, is only 6 to 8 characters long, and can’t contain special characters?

Peter writes:

So I’m contemplating dropping my American Express Blue card, not because of the recent APR increases, but because of their website’s password policy.

According to their website:

Your Password should:

Contain 6 to 8 characters – at least one letter and one number (not case sensitive)

Contain no spaces or special characters (e.g., &, >, *, $, @)

Be different from your User ID and your last Password

That last one makes obvious sense, but to restrict a password to between 6-8 characters, and not allow special characters? That is HIGHLY insecure. I know I did my best to make as secure a password as possible with these limitations, but what about people who common, easily remembered, and highly guessable words as passwords? The limitation of 6-8 characters alone makes brute force a much more simple prospect. This complete disregard for security is quite bothersome

I’ve contacted a customer service rep about this in the past, but they of course had no acceptable answer. Any suggestions on how to bump this one up the chain?